"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.

what the heck are these people thinking? Putting nude photos of yourself on a phone and synching it every which way? It's one thing if you are Joe-nobody but being a celebriry is entirely different. That's just plain stupid.

They can also provide individuals who want it - primarily high-profile individuals - stronger lock-downs such as only allowing registered devices to log in or require typing in a code that is texted to the person prior to completing the login, much like some banks already do.

You know, I'm really annoyed at Apple about this. They say that iCloud wasn't breached and it was a targeted account attack with weak passwords. But on Monday (the day after the pics were posted) they patched a flaw in Find My Friends where the account would be vulnerable to a dictionary attack:

The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.
A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News
Apple patched the service at 3.20am PT today. While it’s possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.

so there was no icloud breach, but there was a bug that enabled a brute force attack. It's not known that this exploit was used on the celebrities, but a tool that exploits this bug was recently posted. Ok...

also, super unclassy for Apple to blame the victim, especially when these types of weaknesses are buried in their code.

Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

Modern social media can also be used to identify personal information of regular people.

If you look at the anon-in.com logs where they operate, you can see hackers asking each other "What car is this?" with posts of random hot girls cars that they collected from Facebook or wherever. They then use this to break the iCloud security questions for said hot girls and get their nudes.

Also, you don't even need social media accounts to be targeted via social media. Just having friends that posts pics with your bits of identifying info is enough.

And I am sure you realize that the 2factor Authorization as currently designed and utilized by Apple only protects against your account data being used to purchase things from the AppStore and interact with your account.

Details are at http://support.apple.com/kb/ht5570 [apple.com] and quoting from there:
It requires you to verify your identity using one of your devices before you can take any of these actions:

Apple obviously wants iCloud and your ITMS credentials to be the iGateway to your life and all your devices and whatnot. They also emphasize security, elegance, and ease of use in their advertising, and cater to a relatively upmarket audience, for the most part.

Why, then, can you not even buy any serious security? Yes, they have 'two factor authentication', of the kind where you have a username, password, and they send you a temporary PIN to one of your devices; but money simply cannot buy a certificate authentication mechanism. Nor an RSA-fob or equivalent. Hell, your WoW character can be protected by a hardware auth fob; but your entire iLife can't?

In the end(while it may well be true) Apple's insistence that the hack was based on guessing/gaining user credentials, rather than attacking Apple code, just doesn't matter. User credentials are always fairly vulnerable. If they want people to put their life 'in the cloud', they are going to have to do better than that(especially if they want celebrity users, since that's a userbase that more or less automatically includes insane stalkers).

I think the issue is that security isn't pretty, and Apple wants pretty. Look at the two-factor authentication. Having to wait until a PIN is sent to you before you can access whatever? That isn't elegant at all (from Apple's POV. It removes the one click convenience.). Personally, I'd rather have the security, but I'm a geek, like most people on Slashdot.

Working systems are available, but fools want their iThing or $20 droid and then act all surprised when their genitals end up on 4chan. It's not a new problem when was it Paris hilton's sidekick got hacked again?

if you buy trash with security ranging from "fuck it we have none" to "well I guess we tried" because it's ooh shiney let's play flappy bird that is a choice with consequences.

Actually, I recommend using multiple safes/vaults/etc with different passwords; make the passwords appropriate to the contents of the safe; and treat the safes appropriate relative to their contents.

My safe with my passwords for throwaway email accounts and forum accounts, club memberships, etc is fairly simple. (It still counts as strong by all usual metrics, but its easy for me to remember and type in, which is good because I have to type it several times a day on average -- sometimes via a smartphone keyboard. Its sync'd via cloud to my smart phone, laptop, work computer, etc.

My safe with passwords for my life savings, domain registrar, email account and other assets which would be quite devastating to lose is MUCH longer and stronger, and it isn't synchronized with my devices. (Actually I have 4 - 5 safes with different groups of passwords in them.)

If you use a strong enough password then you'll be fine.

Unless you get hit with a keylogger. Then you lose everything. Does it really even make sense to have your online pay-parking app passwords and your numbered offshore banking in the same vault? All protected by the same password?

Its just silly.

And its another reason why I've split things up. If the phone gets compromised, my high value passwords aren't even in it. My higher value password safes get opened less frequently and on fewer systems, so a keylogger will have to be in the right system and wait longer to get into them -- giving me better odds of dodging the bullet, and more time to detect and remove them.